diff --git a/defaults/main.yml b/defaults/main.yml
index ba4b41a..e620a01 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -73,3 +73,10 @@ droneci_gitea_skip_verify: False
 # droneci_no_proxy: (see below)
 # - drone-server
 # - drone-agent
+
+droneci_iptables_enabled: False
+droneci_open_ports:
+  - name: allow_droneci_web
+    rules: |
+      -A INPUT -m state --state NEW -p tcp --dport {{ droneci_server_exposed_port }} -j ACCEPT
+    state: present
diff --git a/tasks/setup.yml b/tasks/setup.yml
index 6b3b398..5226136 100644
--- a/tasks/setup.yml
+++ b/tasks/setup.yml
@@ -26,5 +26,17 @@
         dest: "{{ droneci_service_directory }}/{{ droneci_license_key | basename }}"
         mode: 0600
       when: droneci_license_key is defined
+
+    - name: Open ports in iptables
+      iptables_raw:
+        name: "{{ item.name }}"
+        rules: "{{ item.rules }}"
+        state: "{{ item.state | default('present') }}"
+        weight: "{{ item.weight | default(omit) }}"
+        table: "{{ item.table | default(omit) }}"
+      with_items: "{{ droneci_open_ports }}"
+      loop_control:
+        label: "{{ item.name }}"
+      when: droneci_iptables_enabled | bool
   become: True
   become_user: root
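Review bot: The new `droneci_iptables_enabled` and `droneci_open_ports` defaults carry no comment, while the surrounding block documents every other variable, and the default rule accepts TCP to `droneci_server_exposed_port` from any source address with no `-s` restriction — an operator who only fronts Drone with a reverse proxy or reaches it over an internal network has no hint that the rule should be narrowed. I would add above `droneci_iptables_enabled`: `# Firewall rules applied by tasks/setup.yml when droneci_iptables_enabled is true; each item takes name, rules (iptables-save syntax; the task also accepts optional state, weight and table). The default rule allows the exposed port from ANY source — add -s <cidr> to limit it.` The `rules: |` block scalar keeps a trailing newline in the value; if the consuming module does not strip it, `rules: |-` is the cleaner form. `False` for the boolean matches the file's existing style (`droneci_gitea_skip_verify: False`), though yamllint's truthy rule would prefer `false`.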
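Review bot: `iptables_raw` is not one of Ansible's builtin modules, and nothing in this change declares where it comes from; unless it is vendored in the role's `library/` directory (not visible here), the role's meta/requirements should name the collection or role that provides it, otherwise the new task fails to resolve for anyone enabling `droneci_iptables_enabled`. The enclosing `block:` starts before the hunk, so the task inherits `become: True`/`become_user: root` from the context lines below, which the firewall change does need. As a point of style, `with_items` with a `loop_control` section is the older form; `loop: "{{ droneci_open_ports }}"` reads more directly and avoids `with_items` flattening a nested list. A short comment such as `# Rules come from droneci_open_ports (defaults/main.yml); the task is a no-op unless droneci_iptables_enabled is set` above `- name: Open ports in iptables` would spare readers a trip to the defaults file.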